How the FBI weighs cybersecurity risks against other criminal threats

Leo Taddeo, chief information security officer at Cyxtera Technologies, discusses the continuous challenge of balancing incoming cyber threats with CNET's Dan Patterson.

How the FBI weighs cybersecurity risks against other criminal threats

CNET's Dan Patterson interviewed Leo Taddeo, chief information security officer at Cyxtera Technologies and a former FBI special agent in charge of cyber operations in New York City, about the continuous challenge of balancing incoming cyber threats. The following is an edited transcript of the interview.

Campaign 2018: Election Hacking is a weekly series from TechRepublic sibling sites, CBS News & CNET, about the cyber-threats and vulnerabilities of the 2018 midterm election.

Dan Patterson: When you have conversations with your colleagues, how do you prioritize learning versus action? And there are a lot of other priorities that the FBI works on in the, even the private enterprise work on, so how do you prioritize where and how to spend money and actions? What type of conversations do you have?

Leo Taddeo: Right. This is a continuing challenge for the FBI, for US law enforcement, and for the US intelligence community. And that is, how do you stack cyber threats against all of the other threats that are facing us? Counterterrorism, for example, is a program that can't be ignored. Our own FBI efforts against public corruption, and major crimes here in the United States can't be ignored.

So as an FBI executive, there's a balancing. You don't have infinite resources, you don't have unlimited budgets, and you have to allocate according to the potential impact that you are trying to prevent, the potential adverse impact that you're trying to prevent. So for someone like the Director of the FBI to remove agents from an important program like counterterrorism, and transfer them to the cyber program is an enormously difficult decision to make because what we address on the cyber program may wind up being unaddressed in a different program, and the answer for most of us is just hire more FBI agents and analysts and solve all of the problems that we have. But that's not such a simple solution.

SEE: Network security policy template (Tech Pro Research)

First of all, it's expensive, and there are other competing priorities within government. Second of all, it's difficult to find enough FBI agents and analysts that are qualified, that can pass background checks, that can accomplish the mission. And to deploy them effectively takes time. You can't just borrow a person off of the street, like you can, for example, in a private enterprise. If I needed 10 additional accountants, I can go to a consulting firm and they would provide 10 trained accountants for me, for the time that I needed them. That's not true with special agents. There is no private consulting firm that the FBI can go to, to surge when they need it. It's all organic.

So, in summary, it's a continuing challenge to balance all of the threats that we have, and to understand what the potential adverse impacts are, and to allocate the correct amount of resources given the unpredictability of the adversary.

Also see